Poppler 22.09.0 has been released on September 1, fixing a security issue: https://poppler.freedesktop.org/releases.html The issue is similar to CVE-2022-38171 for xpdf (Bug 30804). I don't know if there are/were issues in poppler similar to the other CVEs in Bug 30804 or if we've addressed them yet. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOOStatus comment: (none) => Fixed upstream in 22.09.0
poppler-22.09.0-1.mga9 uploaded for Cauldron by Jani.
Version: Cauldron => 8Whiteboard: MGA8TOO => (none)
Some more background on this: https://www.openwall.com/lists/oss-security/2022/09/02/11
Debian has issued an advisory for this on September 6: https://www.debian.org/security/2022/dsa-5224
Ubuntu has issued an advisory for this on September 12: https://ubuntu.com/security/notices/USN-5606-1
(In reply to David Walser from comment #4) > Ubuntu has issued an advisory for this on September 12: > https://ubuntu.com/security/notices/USN-5606-1 A further update was needed to complete the fix: https://ubuntu.com/security/notices/USN-5606-2
Fedora has issued an advisory for this today (September 22): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TQAO6O2XHPQHNW2MWOCJJ4C3YWS2VV4K/
Debian-LTS has issued an advisory for this today (September 26): https://www.debian.org/lts/security/2022/dla-3120
Suggested advisory: ======================== The updated packages fix a security vulnerability: Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2022-38171 in Xpdf. (CVE-2022-38784) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38784 https://www.openwall.com/lists/oss-security/2022/09/02/11 https://www.debian.org/security/2022/dsa-5224 https://ubuntu.com/security/notices/USN-5606-1 https://ubuntu.com/security/notices/USN-5606-2 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TQAO6O2XHPQHNW2MWOCJJ4C3YWS2VV4K/ https://www.debian.org/lts/security/2022/dla-3120 ======================== Updated packages in core/updates_testing: ======================== lib(64)poppler105-20.12.1-1.2.mga8 lib(64)poppler-cpp0-20.12.1-1.2.mga8 lib(64)poppler-cpp-devel-20.12.1-1.2.mga8 lib(64)poppler-devel-20.12.1-1.2.mga8 lib(64)poppler-gir0.18-20.12.1-1.2.mga8 lib(64)poppler-glib8-20.12.1-1.2.mga8 lib(64)poppler-glib-devel-20.12.1-1.2 lib(64)poppler-qt5_1-20.12.1-1.2.mga8 lib(64)poppler-qt5-devel-20.12.1-1.2.mga8 poppler-20.12.1-1.2.mga8 from SRPM: poppler-20.12.1-1.2.mga8.src.rpm
CVE: (none) => CVE-2022-38784CC: (none) => nicolas.salgueroStatus comment: Fixed upstream in 22.09.0 => (none)Source RPM: poppler-22.07.0-1.mga9.src.rpm => poppler-20.12.1-1.1.mga8.src.rpmStatus: NEW => ASSIGNEDAssignee: jani.valimaa => qa-bugs
MGA8, x64 Started with lib64poppler-cpp-devel-20.12.1-1.1.mga8 lib64poppler-gir0.18-20.12.1-1.1.mga8 lib64poppler-qt5-devel-20.12.1-1.1.mga8 lib64poppler-glib8-20.12.1-1.1.mga8 lib64poppler-devel-20.12.1-1.1.mga8 lib64poppler-cpp0-20.12.1-1.1.mga8 lib64poppler-glib-devel-20.12.1-1.1.mga8 lib64poppler105-20.12.1-1.1.mga8 lib64poppler-qt5_1-20.12.1-1.1.mga8 $ urpmq --whatrequires lib64poppler105-20.12.1| uniq | grep -v lib64poppler calligra-stage calligra-words gambas3-gb-pdf gambas3-gb-poppler inkscape lib64gdal27 lib64kpimitinerary5 libreoffice-pdfimport openboard pdf2djvu poppler scribus texlive Updated the whole list from testing: qarepo(* fuzzy) -> MageiaUpdate. Referred to bug 30690 for testing. $ pdftohtml UsingDocker.pdf docker.html 355 pages converted. Viewed docker.html with firefox which displayed a page index as a lefthand column of links and the text and graphics to the right. Tried the other pdf utilities and noted no regressions. Installed pdf2djvu. $ strace -o djvu.trace pdf2djvu -o test.djv module_cheat_sheet.pdf module_cheat_sheet.pdf: - page #1 -> #1 0.021 bits/pixel; 6.079:1, 83.55% saved, 136259 bytes in, 22416 bytes out $ ll *.djv -rw-r--r-- 1 lcl lcl 22416 Oct 19 23:45 test.djv $ grep poppler djvu.trace openat(AT_FDCWD, "/lib64/libpoppler.so.105", O_RDONLY|O_CLOEXEC) = 3 Looks like this can go out.
Whiteboard: (none) => MGA8-64-OKCC: (none) => tarazed25
Validating. Advisory in Comment 8.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0386.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED